Efficient Multi-match Packet Classification with TCAM Fang Yu Randy H. Katz EECS Department, UC Berkeley {fyu,

Outline New applications demand multi-match classification Multi-Match classification using TCAM  Order rules in TCAM  Remove negations Simulations results Conclusions

Today’s Packet Classification Systems A classifier consists of N rules, each with F fields  Next hop routing using destination IP (F=1)  Filters from firewall (F=5) Single-Match Classification:  Assumption: all the rules are associated with priorities  Only the highest priority match matters  E.g., longest prefix match Source IPDestination IPSource PortDestination PortProtocolActionPriority **15Tcpdrop2 128.* *25tcpallow1

New Applications Intrusion Detection Systems (e.g., SNORT)  Rule header: a 5-field classification rule for the packet header  Rule options: specify intrusion patterns for the entire packet scanning. Packet header Match A packet may be related to multiple rules (matching rule headers) Multi-Match Classification: Identify all the matching rule headers Packet Payload Scan

In some edge networks  Each box introduces extra delay  Common functions like classification are repeatedly applied  Highly inefficient! Programmable Network Element  Support multiple functions in one device  Each packet may related to different set of functions E.g., HTTP packets related to firewall and HTTP load balancer E.g., VPN packets related to encryption / decryption  Multi- Match Classification: identify the all the relevant functions New Applications (cont.)

Multi-Match v.s. Single-Match Classification A classifier consists of N rules, each with F fields  Single-Match: Report the highest priority rule  Multi-Match: Report all the matching rules Single-match classification  Software solutions: O(logN) query time with O(N F ) storage  Real-world rule sets are simpler than theoretical worst case State of art heuristic algorithms: memory accesses Multi-Match classification  More complex than single-match  Complex follow-up processing  Tighter time requirements memory accesses  slow Can hardware solution help?

Ternary-CAM (TCAM) Fully associative memory: compares input string with all the entries in parallel  If multiple matches, report index of the first match Each cell takes one of three logic states  ‘0’, ‘1’, and ‘X’(don’t care) Current TCAM technology  Fast Match Time: 4 ns  Size: 1-2MB  Commercially used for single-match classification

Use TCAM for Multi-Match Classification Problem: TCAM only reports the first matching result  Return a bit vector of matched results?  Not a good solution because processing cost for bit vector is O(N) Solution: Add additional intersection rules  Upper bound of intersections O(N F )  Real-world rule set has far less intersections  Retrieve all matching results solely based on the first matched result --- TCAM Compatible Order

TCAM Compatible Order Relationship between rules E i and E j, with corresponding matched list M i and M j  Exclusive (E i E j = ): i and j can have any order.  Subset (E i E j ): i<j and M i M j.  Superset (E i E j ): j<i and M i M j.  Intersection (E i E j = ): add a rule E l =(E i E j ), (l<i, l<j), (M i M j ) M l.

Pseudo-Code for Generating TCAM Compatible Order Extend_rule_set(R){ E = ; for all the rule Ri in R E=Insert(Ri, E); return E; } Insert(x, E){ for all the rule Ei in E { Switch the relationship between Ei and x: Case exclusive: continue; Case subset: Mi = Mx Mi; continue; Case superset: Mx = Mx Mi; add x before Ei ; return E; Case intersection: If (Ei x E and M x Mi) add t = Ei x before Ei ; Mt = Mx Mi } add x at the end of E and return E; }

Example Original rule set Extended rule set in TCAM compatible order 1Tcp $SQL_SERVER 1433 $EXTERNAL_NET any 2Tcp $EXTERNAL_NET 119 $HOME_NET Any 3Tcp Any Any Any 139 Extended rules Matched List Tcp $SQL_SERVER 1443 $EXTERNAL_NET 1391,3 Tcp $SQL_SERVER 1433 $EXTERNAL_NET any1 Tcp $EXTERNAL_NET 119 $HOME_NET 1392,3 Tcp $EXTERNAL_NET 119 $HOME_NET any2 Tcp any any any 1393 $EXTERNAL_NET $EXTERNAL_NET=!$HOME_NET

Representing Negation with TCAM 80’s binary form Negation of 80 (!80=[0,79], [81,2^16-1])  = = is only a subset of !80  Need 16 TCAM entries Multiple negations in one rule  tcp $EXTERNAL_NET any $EXTERNAL_NET !80 requires up to 32*32*16=16384 TCAM entries 1xxx xxxx xxxx xxxx x1xx xxxx xxxx xxxx xx1x xxxx xxxx xxxx xxx1 xxxx xxxx xxxx xxxx 1xxx xxxx xxxx xxxx x1xx xxxx xxxx xxxx xx1x xxxx xxxx xxxx xxx1 xxxx xxxx xxxx xxxx 0xxx xxxx xxxx xxxx x1xx xxxx xxxx xxxx xx0x xxxx xxxx xxxx xxx1 xxxx xxxx xxxx xxxx 1xxx xxxx xxxx xxxx x1xx xxxx xxxx xxxx xx1x xxxx xxxx xxxx xxx1

Remove Negation Regions generating negation:  A, B, D Regions with no negation  C, A C, C D, A B C D 1Tcp $SQL_SERVER 1433 $EXTERNAL_NET any 2Tcp $EXTERNAL_NET 119 $HOME_NET Any 3Tcp Any Any Any 139

Remove Negation Can we extend rules in D to D C?  Yes, We can! With a first match TCAM 1Tcp $SQL_SERVER 1433 $EXTERNAL_NET any 2Tcp $EXTERNAL_NET 119 $HOME_NET Any 3Tcp Any Any Any 139 TCAM entriesMatched List tcp $HOME_NET any $HOME_NET any $HOME_NET any $HOME_NET any Tcp $SQL_SERVER 1443 any 139 1,3 Tcp $SQL_SERVER 1433 any any 1

Removing Negation Rules in region C: “* $HOME_NET+ * $HOME_NET+ *” Separator rule 1: “any $HOME_NET any $HOME_NET any” Rules in region D, specified in the form of region C and D: “* $HOME_NET+ * any *” Rules in region A, specified in the form of region A and C: “* any * $HOME_NET+ *” Separator rule 2: “any $HOME_NET any any any” Separator rule 3: “any any any $HOME_NET any” Rules applying to region B, specified in the form of region A, B, C and D: “* any * any *”

Extended rulesMatched ListTCAM entries needed Tcp $SQL_SERVER 1443 $EXTERNAL_NET 1391,332 Tcp $SQL_SERVER 1433 $EXTERNAL_NET any132 Tcp $EXTERNAL_NET 119 $HOME_NET 1392,332 Tcp $EXTERNAL_NET 119 $HOME_NET any232 Tcp any any any TCAM Index TCAM entriesMatched List 1tcp $HOME_NET any $HOME_NET any $HOME_NET any $HOME_NET any 3Tcp $SQL_SERVER 1443 any 1391,3 4Tcp $SQL_SERVER 1433 any any1 5Tcp any 119 $HOME_NET 1392,3 6Tcp any 119 $HOME_NET any2 7Tcp any any any % of TCAM entries saving

Analysis of Negation Removing Scheme More than one negations in each field  Both !80 and !90 in the source port field  !subnet1 and !subnet2 in the destination IP field Generation of algorithm  For one field F i, K i unique negations with disjoint non-negation forms  S i =K i separator rules K i unique negations with intersected non-negation forms  S i =2 Ki separator rules  Total separator rules: removing $EXTERNAL_NET from source and destination IP addresses, S 1 = S 2 =1  a total of 3 separator rules

Simulation Results SNORT intrusion detection rule set VersionRule Set Size # of rules in extended set Single negation Double negations Triple negations , %0.975% , %1.422%0.025% , %1.420%0.025% , %1.363%0.023%

Performance of Negation Removing Scheme Snort version With NegationNegation RemovedTCAM Space saved Extended rule set size TCAM Entries needed Extended rule set size TCAM Entries needed ,693120,4094,1017, % ,009145,2084,4118, % ,015145,3524,4208, % ,330151,9234,7978, % Fit all Snort rule headers into a 256KB TCAM  Retrieve multi-match classification result with one TCAM lookup and one SRAM lookup (<10ns)

Effect of Negation

Conclusions New applications demand for multi-mach classification TCAM-based solution to solve the multi- match classification problem  Report all the matching results with a single TCAM lookup and a SRAM lookup Negation removing scheme can save 93% to 95% of the TCAM space